A serious vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a wide range of products, including cars, medical devices, and industrial equipment.
The flaw (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of bugs, collectively dubbed BadAlloc, that was originally disclosed by Microsoft in April 2021 and that could open a backdoor into many of these devices, allowing attackers to commandeer them or disrupt their operations.
"A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability.
BlackBerry QNX technology is used worldwide in over 195 million vehicles and embedded systems across a range of industries, including aerospace and defense, automotive, commercial vehicles, heavy machinery, industrial controls, medical, rail, and robotics.
BlackBerry, in an independent advisory, characterized the issue as "an integer overflow vulnerability in the calloc() function of the C runtime library" affecting its QNX Software Development Platform (SDP) version 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1. Manufacturers of IoT and OT devices that incorporate affected QNX-based systems are advised to apply the following patches:
- QNX SDP 6.5.0 SP1 – Apply patch ID 4844 or update to QNX SDP 6.6.0 or later
- QNX OS for Safety 1.0 or 1.0.1 – Update to QNX OS for Safety 1.0.2, and
- QNX OS for Medical 1.0 or 1.1 – Apply patch ID 4846 to update to QNX OS for Medical 1.1.1
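As an added illustration of the bug class BlackBerry describes (an integer overflow in calloc()), the following C code is not QNX's or BlackBerry's code and does not reproduce the QNX defect itself; it shows how an unchecked `nmemb * size` product wraps in `size_t`, so a huge request can collapse into a tiny allocation that the caller then treats as large, and how an allocator wrapper rejects such requests up front. The function names (`naive_product`, `mul_overflows`, `safe_calloc`, `all_zero`) and the sample request sizes are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The product an unchecked calloc() would compute. size_t arithmetic wraps
 * modulo SIZE_MAX + 1, so (SIZE_MAX / 2 + 1) * 2 evaluates to 0: the caller
 * believes it owns billions of elements while the allocator handed back a
 * zero-byte (or tiny) block. */
size_t naive_product(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Portable overflow test without compiler built-ins:
 * a * b overflows size_t exactly when a != 0 and b > SIZE_MAX / a. */
bool mul_overflows(size_t a, size_t b)
{
    return a != 0 && b > SIZE_MAX / a;
}

/* Illustrative hardened allocator (assumed shape of a generic fix, not the
 * vendor's patch): refuse the request instead of allocating a wrapped size.
 * Returns NULL with errno = ENOMEM on overflow, a zeroed block otherwise. */
void *safe_calloc(size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    /* Allocate at least one byte so a zero-sized request is still a
     * distinct, freeable pointer on every libc. */
    void *p = malloc(total ? total : 1);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

/* Helper used to confirm that a returned block really is zero-filled. */
bool all_zero(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 0) {
            return false;
        }
    }
    return true;
}

int main(void)
{
    /* Constructed attacker-style request: more elements than fit in size_t
     * once multiplied by the element size. */
    size_t nmemb = SIZE_MAX / 2 + 1;
    size_t size = 2;

    printf("naive product of %zu x %zu = %zu (wrapped)\n",
           nmemb, size, naive_product(nmemb, size));

    void *p = safe_calloc(nmemb, size);
    printf("safe_calloc -> %s (errno=%d)\n", p ? "block" : "NULL", errno);
    free(p);

    unsigned char *q = safe_calloc(16, 4);
    printf("safe_calloc(16, 4) zeroed: %s\n",
           q && all_zero(q, 64) ? "yes" : "no");
    free(q);
    return 0;
}
```

The check mirrors what a correct C runtime must do inside calloc() itself: the multiplication has to be validated before any memory is reserved, because once a wrapped size reaches the heap the caller's subsequent writes land outside the block. Code that calls calloc() on an unpatched runtime cannot fix this from the outside except by validating `nmemb * size` itself before the call, which is what the wrapper above does.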
"Ensure that only ports and protocols used by the application using the RTOS are accessible, blocking all others," BlackBerry advised as mitigations. "Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices."
In a separate report, Politico revealed that BlackBerry resisted efforts to publicly announce the BadAlloc vulnerability in late April, citing people familiar with the matter, and instead planned to privately contact its customers and warn them about the issue, an approach that could have put a number of device manufacturers at risk, as the company could not identify all of the vendors using its software.
"BlackBerry representatives told CISA earlier this year that they did not believe BadAlloc had impacted their products, although CISA had concluded that it did," the report said, adding that "over the past few months, CISA pushed BlackBerry to accept the bad news, finally getting them to acknowledge the vulnerability existed."